Severity
High
Analysis Summary
Multiple fake/evil twin pages of “HBL Internet Banking” have been found targeting users to steal their credentials. The domain “https[:]//airac[.]org[.]do” has fake/evil twin pages of “HBL Internet Banking” hosted on it. The purpose of these fake/evil twin pages is to steal the credentials of Internet Banking users.
Moreover, our analysis found fake/evil twin Internet Banking pages of different banks of Pakistan, and an FBR return portal showing Internet Banking links and images of different Pakistani banks, on the same domain.
These types of URLs are mostly used in phishing email campaigns: the URLs are anchored behind an image or legitimate-looking text, and upon clicking, users are directed to the fake Internet Banking pages so that they enter their details and other confidential information such as OTP, Transaction Code/Password, Card Number and CVV.
Impact
- Credential theft
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
URL
- https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl[.]com[.]pk/hbl[.]com[.]pk
- https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl[.]com[.]pk/hbl[.]com[.]pk/hbl[.]php
- https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl/hbl[.]html
- https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl/hbl2[.]html
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
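One way to carry out the "Search for IOCs in your environment" step, as an added example that is not part of the original advisory: refang the listed URLs at run time and match them against web proxy logs by parsed host and path rather than by substring. The log layout (URL in the seventh whitespace-separated field), the function names and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFANGED_IOCS = [  # the four URLs as published in the advisory, kept defanged in source
    "https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl[.]com[.]pk/hbl[.]com[.]pk",
    "https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl[.]com[.]pk/hbl[.]com[.]pk/hbl[.]php",
    "https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl/hbl[.]html",
    "https[:]//airac[.]org[.]do/fbr/fbr2021/allaccounts/hbl/hbl2[.]html",
]

def refang(text):
    """Undo the [.] and [:] defanging used in the advisory."""
    return text.replace("[.]", ".").replace("[:]", ":")

def normalise(url):
    """Reduce a URL (or a CONNECT host:port) to (host, path); scheme, port, query ignored."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip("."), parts.path.rstrip("/")

IOC_KEYS = {normalise(refang(i)) for i in DEFANGED_IOCS}
IOC_HOSTS = {host for host, _ in IOC_KEYS}

def classify(url):
    """'exact' = listed URL, 'host' = anything else on the listed domain, None = no hit."""
    host, path = normalise(url)
    if (host, path) in IOC_KEYS:
        return "exact"
    if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
        return "host"
    return None

def scan(lines, url_field=6):
    """Return (line_number, verdict, url) for every log line that hits an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        verdict = classify(fields[url_field]) if len(fields) > url_field else None
        if verdict:
            hits.append((number, verdict, fields[url_field]))
    return hits

# Constructed sample log; URL is the 7th whitespace-separated field (an assumption).
FMT = "1609750000.000 120 10.0.0.5 TCP_MISS/200 5120 {} {} - DIRECT/- text/html"
SAMPLE_LOG = [FMT.format(method, refang(url)) for method, url in [
    ("GET", DEFANGED_IOCS[2]),                                          # listed page
    ("GET", "https[:]//AIRAC[.]org[.]do/fbr/fbr2021/index.html?x=1"),   # same host, other path
    ("GET", "https[:]//example[.]com/airac[.]org[.]do/hbl.html"),       # domain only in path
    ("CONNECT", "airac[.]org[.]do:443"),                                # HTTPS tunnel, no path
]]
print(*scan(SAMPLE_LOG), sep="\n")
```

A "host" verdict matters on proxies that do not intercept TLS, where only the CONNECT line is logged and the listed paths never appear.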